• silicon.com
• Technology
• Mobile

By Jo Best, 20 February 2004 13:15

NEWS Recent news about bluesnarfing – using Bluetooth to hack into mobiles without leaving a trace of the intrusion – has revealed the possible security implications of the wireless technology.

Hacking tactics all too familiar from PCs could soon be making their way to mobiles, with phishing and denial of service attacks possible due to Bluetooth hacking tools that are freely available on the internet. Apart from allowing hackers free access to your data, a crafty criminal can now put 'snarfing' to work for profit.

All it takes is a laptop with Bluetooth, a premium rate phone line and some nifty social engineering to carry out some profitable scamming that would make the eBay phishers proud.

Scammers may pick a prime location, say an airport lounge or hotel and select some likely candidates. By sending a business card – perhaps something innocuous along the lines of 'Welcome to Heathrow's mobile information service' – and having it accepted by the user, a snarfer can 'pair' or link the two devices and gain control of another user's phone.

It would then be possible to use that phone to dial a premium rate number at £1.50 a minute and then either disconnect straight away or leave the phone connected for a couple of minutes. Unscrupulous scammers doing that a hundred times or so for a few days will soon get rich on their ill-gotten gains - and users should beware.

Anders Edlund, marketing manager of the Bluetooth Special Interest Group, said the problem is still "at the hypothetical stage", but told silicon.com that the interest in Bluetooth attacks was an asset to the industry.

"It's a good and healthy discussion to have. It alerts big manufacturers to security problems and in the long-term it benefits us all," he said, adding that he had heard of no snarfing attacks taking place and that new-to-the-market mobiles don't have the same vulnerabilities.

Some makes and models of phones are particularly vulnerable to attacks of this nature – Ericsson and Nokia have already been singled out for criticism – and with no fix on the way, the best method of avoiding snarfing is to disable your Bluetooth when you're not using it or change it to non-discoverable mode. Never accept any business cards unless you're 100 per cent sure of the sender and even then be careful and you should be snarf-free.

Another internet trick making its way into the world of mobile is the denial of service attack. It's possible, using roughly the same tools as the phishing scam, to scupper someone's mobile. Using a specially crafted message via Bluetooth, it's possible to cause a phone to crash and reset.

There's not much point to it, other than mischief, but in the past that's often proved all the motivation hackers need.

A Nokia spokeswoman said last week that the phone company knows about the various issues surrounding the handsets but still believes Bluetooth technology is secure.

"The Bluetooth standard has strong mechanisms built into it, encompassing authentication, authorisation and encryption," she said. "For communications or transactions requiring further security, Bluetooth developers will implement other mechanisms to achieve end-to-end security, as is used today for secure transactions over the internet. We trust the connection is secure for the applications for which it was intended."